cisco_catalyst_2960
Table of Contents
Cisco Catalyst 2960G - Configuration
- Model: WS-C2960G-48TC-L
- Version: Version 15.0(2)SE6
Management / network configuration
Configure IP
- Configure management IP address on VLAN 10
conf t interface vlan10 ip address 1.2.3.2 255.255.255.0 exit ip default-gateway 1.2.3.1
Disable services
- Disable VTP.
conf t vtp mode off
- Disable clustering.
no cluster run
- Disable vstack.
no vstack
- Disable DHCP.
no service dhcp
- Disable HTTP/S server.
conf t no ip http server no ip http secure-server
- Disable small services (echo, discard, chargen…).
no service tcp-small-servers no service udp-small-servers
- Disable finger.
no ip finger
- Ignore bootp.
no ip dhcp bootp ignore
- Disable DNS lookups.
no ip domain-lookup
- Disable Packet Assembler/Disassembler (PAD).
no service pad
- Prevent loading config from TFTP service.
no service config
- Disable CDP and LLDP on untrusted interfaces.
conf t interface range gigabitEthernet 0/2-48 no cdp enable no lldp transmit no lldp receive
Enable services
- Keepalives for TCP Sessions.
conf t service tcp-keepalives-in service tcp-keepalives-out
Authenticated NTP
- Enable NTP.
conf t ntp authenticate ntp authentication-key 150 md5 ticktock ntp trusted-key 150 ntp server 1.2.3.50 key 150 ntp server 1.2.3.51 key 150 ntp source vlan10
- Linux NTP server config example.
#ntp.conf enable auth keys keys /etc/ntp.keys trustedkey 150 #ntp.keys 150 M ticktock
- Meinberg LANTIME M200 server example.
Using the web interface. - Go to tab 'NTP', then 'General Settings' - Local Trusted Keys: 150 - Go to 'NTP Symmetric keys', click 'Edit NTP MD5 keys' - Add: '#1 MD5 EXAMPLE 150 MD5 ticktock' - Click Save Settings.
- Verify NTP synchronisation.
#sh ntp associations address ref clock st when poll reach delay offset disp *~95.97.208.29 .PZF. 1 7 64 57 1.093 2.708 440.38 +~95.97.208.30 .PPS. 1 4 64 167 1.141 3.547 190.44 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured #sh ntp status Clock is synchronized, stratum 2, reference is 95.97.208.29 nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17 reference time is D7912CA6.D0C5123E (23:26:30.815 UTC Sat Aug 9 2014) clock offset is 2.7081 msec, root delay is 1.09 msec root dispersion is 7945.18 msec, peer dispersion is 440.38 msec loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000010 s/s system poll interval is 64, last update was 289 sec ago.
Deny client access to NTP server
- Create access lists to deny client access
! NTP access control ntp access-group query-only 1 ! deny all NTP control queries ntp access-group serve 1 ! deny all NTP time and control queries by default ntp access-group peer 10 ! permit time sync to configured peer(s)/server(s) only ntp access-group serve-only 1 ! deny all sync requests ! ! access control lists (ACLs) access-list 1 remark utility ACL to block everything access-list 1 deny any ! access-list 10 remark NTP peers/servers we sync to/with access-list 10 permit 95.97.208.29 access-list 10 permit 95.97.208.30 access-list 10 deny any !
Configure time zone
- Configure time zone for the Netherlands.
conf t clock timezone CET 1 0 clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
- Verify.
sh clock detail .01:36:47.946 CEST Sun Aug 10 2014 Time source is NTP Summer time starts 02:00:00 CET Sun Mar 30 2014 Summer time ends 03:00:00 CEST Sun Oct 26 2014
Configure logging timestamps
- Configure timestamps.
conf t service sequence-numbers service timestamps debug datetime localtime msec show-timezone service timestamps log datetime localtime msec show-timezone
VLANs
Management
- Configure gigabitEthernet 0/1 for VLAN 10 (management).
interface gigabitEthernet 0/1 no shut switchport mode access switchport access vlan 10 description Management
Native VLAN
Per default the native VLAN is VLAN 1. Change the native VLAN to the unused VLAN 20.
- Change native VLAN to 20, for all interfaces
conf t interface range gigabitEthernet 0/1-48 switchport trunk native vlan 20
- Verify example:
sh interfaces gigabitEthernet 0/10 trunk Port Mode Encapsulation Status Native vlan Gi0/10 auto 802.1q other 20 Port Vlans allowed on trunk Gi0/10 none Port Vlans allowed and active in management domain Gi0/10 none Port Vlans in spanning tree forwarding state and not pruned Gi0/10 none
VLAN 1
- Shutdown VLAN 1.
conf t interface vlan1 shutdown
Ports
- Shutdown unused ports.
- No negotiate (DTP)
- Move them to an unused VLAN 20.
- Configure the range of ports:
conf t interface range gigabitEthernet 0/2-48 switchport mode access switchport access vlan 20 switchport nonegotiate shut
- Verify.
#show interfaces status Port Name Status Vlan Duplex Speed Type Gi0/1 Management connected 10 a-full a-1000 10/100/1000BaseTX Gi0/2 disabled 20 auto auto 10/100/1000BaseTX Gi0/3 disabled 20 auto auto 10/100/1000BaseTX Gi0/4 disabled 20 auto auto 10/100/1000BaseTX Gi0/5 disabled 20 auto auto 10/100/1000BaseTX Gi0/6 disabled 20 auto auto 10/100/1000BaseTX Gi0/7 disabled 20 auto auto 10/100/1000BaseTX Gi0/8 disabled 20 auto auto 10/100/1000BaseTX Gi0/9 disabled 20 auto auto 10/100/1000BaseTX ... <snip>
Access and authentication
PBKDF2 enable secret
- Configure PBKDF2 enable secret
conf t enable algorithm-type sha256 secret test12345
Configure serial console
When synchronous logging of unsolicited messages and debug command output is enabled, unsolicited device output appears on the console or printed after solicited device output appears or is printed. Unsolicited messages and debug command output appears on the console after the prompt for user input is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
- Configure serial console
line console 0 logging sync login local
Setup SSH / disable telnet
- Ensure that you have configured a host and domain name.
sh run | include hostname sh run | include domain-name
- Generate the RSA Keys
config t crypto key generate rsa How many bits in the modulus [512]: 2048
- Configure vty's, this will also disable telnet.
line vty 0 15 transport input ssh login local
- Configure the SSH server
conf t ip ssh version 2 ip ssh time-out 30 ip ssh authentication-retries 3
Login banner
- Configure login banner.
conf t banner login $Access for authorized users only! $ end
Configure users using strong password hashes
Thanks Dennis, for providing the correct syntax!
- Configure users
config t username example algorithm-type sha256 secret test1234 do sh run | i example username example secret 8 $8$yJq4f/MpacJJ.r$ZeCjRxMd6b3qKDrZ5tozyx8IJSV5B8B./LTbVAljEoA
Login Password Retry Lockout
- Configure AAA.
conf t aaa new-model aaa local authentication attempts max-fail 5 aaa authentication login default local
EXEC time-out
- Configure EXEC time-out in 5 minutes.
conf t line con 0 exec-timeout 5 line vty 0 15 exec-timeout 5
Logging
Disable logging to console
- The switch does not check if a user is logged into the console port or a device (for example, a terminal) is attached to it; if console logging is enabled, messages are always sent to the console port (causing CPU load).
conf t #no logging console
- Or rate limit logging!
Log events to syslog
- Event log to syslog.
conf t logging <host> logging trap <level>
Archive configuration
- Configure automatic archiving.
conf t archive path scp://<username>:<password>@<hostname>/<directory>/file- write-memory
SNMPv3
- Create access list to prevent access from other hosts:
ip access-list standard SNMP permit host <ip-address monitoring host> deny any log
- Configure SNMP Location & contact:
snmp-server location <location> snmp-server contact <email address>
- Configure SNMP View:
snmp-server view MIB-2 mib-2 included
- Configure SNMP group:
snmp-server group READONLY v3 priv read MIB-2
- Create SNMP user:
snmp-server user <username> READONLY v3 auth sha <passphrase> priv aes 128 <passphrase> access SNMP
To do
- bpdu guard
- Enable dhcp snooping
- Dynamic arp inspection on access ports
cisco_catalyst_2960.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1